What Is Sandia

• National security laboratory

• Our primary mission is nuclear weapons

  - responsible for more than 95% of weapon components

• Nearly 1/4 of our work supports DoD and the intelligence community

• Broader mission in science and engineering to meet national needs
Sandia Is Distributed Across Many Sites

- Tonopah Test Range, Nevada
- Kauai Test Facility, Hawaii
- Livermore, California


Sandia in Round Numbers

• 7,500 full-time employees

  - ~6,600 in New Mexico
  - ~900 in California

• 700 buildings, 6M sq. ft.

• 1,400 Ph.D.'s, 2,100 Masters

  - 54% engineering
  - 24% science and mathematics
  - 22% computing and other

• Annual budget $1400M
Infrastructure and Information Systems Engineering Center (6500)

Sam Varnado, Director
Ron Trellue, Deputy Director, Technology Development
Larry Ellis, Deputy Director, Strategic Development

Business Area Domains

- Information assurance and survivability for national security systems.
- Satellite-based sensor information systems.
- Decision support systems for distributed and other environments.

Project/Technology Domains

Mission/Solution Engineering

- Life-cycle SW Engineering
- Decision Support Systems
- High-integrity real-time software systems
- Critical infrastructure protection
- Information assurance solutions for DOE, DoD, and other agencies
- Secure Ad-Hoc Wireless Systems

Domains

- Architectures & Frameworks
- Real-time Systems
- Event/Signal Processing
- Distributed Environments
- Modeling & Simulation
- Knowledge Generation
- Information Security
- IT Assessments

Technologies

- OODB
- XML
- CORBA, RMI
- Java, C++
- Intelligent Agents
- GIS
- Web Apps


IA/IO Modeling & Simulations

Communications modeling

> Vulnerabilities in Wireless Ad Hoc Networks
> Simulations of Wireless Ad Hoc Networks
> IA Overhead in Wireless Ad Hoc Networks
> IA for wireless ad-hoc networks (with robots in urban conflict environments)
> Network devices

Cryptographic research

> Efficient, low power signature algorithms
> Secure, wireless communications
> Proactive, threshold cryptography
> Surety for SCADA systems
> Anonymous, authenticated communications

Critical infrastructure simulation

> Agent-based micro simulation (ASPEN modeling tool)
> NISAC program
> SCADA testbed simulations

Analysis tools

> Graph-based network vulnerability
> Modeling behavior of the cyber-terrorist
Communications Research

> Vulnerabilities in Wireless Ad Hoc Networks
> Simulations of Wireless Ad Hoc Networks
> IA Overhead in Wireless Ad Hoc Networks
> Network Devices


Systems Approach to the Wireless Communications Environment

Wireless Environment

• Resource Constraints
  - RF Bandwidth
  - CPU Limitations
  - Battery Size

• RF Stressors & Issues
  - Environmental Interference
  - Terrain Interference
  - Adversarial Interference
  - Covertness; LPI/LPD
  - Antenna Placement

• Network
  - Dynamic Topology & Mobility
  - Scalability, Performance

• Cryptography
  - Low-Power Approaches
  - Threshold

• Non-Cryptography
  - Redundant Routes
  - Source Initiated Route Switching
  - Onion Routing
  - Encapsulation
  - Sequence Numbers/Time Stamp
  - Intrusion Detection
Vulnerabilities in Wireless Ad Hoc Networks

Research of Vulnerabilities in Wireless Ad Hoc Networks

Objective:

Identify vulnerabilities in wireless ad hoc networks that adversaries can exploit to reduce or eliminate the effectiveness of the network.

Relevance:

Vulnerabilities and exploits must be clearly identified to develop IA techniques and approaches.

[Figure: ad hoc network diagram including an Adversary Node]

Status:

Network vulnerabilities and techniques to exploit them have been identified and described in a report.

Contact: Brian Van Leeuwen, bpvanle@sandia.gov
Simulations of Wireless Ad Hoc Networks

[Figure: OPNET plot of the average Traffic Sink End-to-End Delay (seconds) for Campus Network mobile_node_1 through mobile_node_4; zone routing uses Proactive Routing for Intrazone and Reactive Routing for Interzone]

Objective:

Develop simulations to evaluate the performance and practicality of mobile wireless protocols.

Relevance:

Various routing and MAC protocols have been proposed, and their performance must be evaluated for effectiveness before implementation into systems.

Status:

Implemented a model of the Zone Routing Protocol in OPNET to evaluate performance issues such as scalability, control overhead, and network convergence.

- With and without high-fidelity representation of the MAC layer protocol
- With and without cryptographic overheads

Contact: Brian Van Leeuwen, bpvanle@sandia.gov
Research of IA Overhead in Wireless Ad Hoc Networks

[Figure: OPNET node model bv0401radiomanet_LS, annotated with Data Overhead, Processing Latency and Queue Latency]

IA Overhead in Wireless Ad Hoc Networks

Objective:

Identify the overhead impacts of cryptographic security approaches in mobile wireless ad hoc networks.

Relevance:

Cryptography consumes significant node and network resources. In resource-constrained wireless systems these overheads will degrade network performance.

Status:

Simulations are being executed and data is being collected.

Contact: Brian Van Leeuwen, bpvanle@sandia.gov


y  =  ^  +  ax  +  b 
Terrain and Environmental Effects on Wireless Information Assurance

Objective:

Enhance system simulations by incorporating the effects of the environment on mobile wireless communications. This will be done by integrating statistical error allocation into the communication simulations with Sandia's Umbra system level simulator.

Relevance:

Accurate modeling of terrain and other environmental stressors will improve information assurance (IA) design in wireless communication systems. Improved wireless IA design will enhance the overall performance of fielded systems.

Status:

Activities begin in October, 2001
Control Plane Security for Wireless/Wired Gateway

Goal: To minimize the impact of security protocols while maintaining security robustness at the transition between wired and wireless networks.

Approach: The interaction between security protocols at the wired/wireless interface will be investigated for vulnerabilities, which will guide modifications to the security protocols and system configurations to reduce the security risk at the interfaces.

Contact: Brian Van Leeuwen, bpvanle@sandia.gov
Generalized Signature-based Intrusion Detection using Adaptive Critic Designs

[Figure: exploit signatures plotted in a feature space and grown into exploit classes]

Generalized Signature-Based Intrusion Detection

PROBLEM:

• Novel attacks are hard to detect.

• Signature-based ID is too narrow - can't detect new exploits.
  High incidence of Type I events

• Anomaly detection is too broad - detects too many anomalies, many of which aren't exploits.
  High incidence of Type II events

GOAL:

Develop techniques to detect novel attacks/exploits.

OBJECTIVE/APPROACH:

• Generalized Signature-based ID

• Start with known exploit signatures and "grow" exploit classes.

• Train an ID to learn the boundaries of exploit classes.

• Able to detect novel exploits that are similar to known exploits.

• Use Adaptive Critic Designs (ACDs) for generalized signature-based intrusion detection.

Contact: Tim Draelos, tjdrael@sandia.gov
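The idea of growing exploit classes around known signatures, worked as an added example (written for this page, not Sandia's ACD-based detector): each class becomes a centroid and a radius in a constructed feature space, and the radius is scaled by a growth factor. The feature names, the signature vectors and the centroid-plus-radius learner are constructed stand-ins for the Adaptive Critic Design; what the example shows is the trade-off on the slide: with growth 1.0 only the training signatures match (a nearby variant is missed), with growth 1.5 the variant is caught, while an observation that is unusual but far from every class still raises no alert.

```python
"""Generalized signature-based detection: grow exploit classes around known signatures.
Added example, not Sandia's Adaptive Critic Design detector; the features, signature
vectors and the centroid-plus-radius learner are constructed stand-ins."""
import math

FEATURES = ("failed_logins", "distinct_ports", "payload_entropy", "bytes_out_kb")

# Constructed training data: feature vectors of known exploit signatures, grouped by class.
KNOWN_SIGNATURES = {
    "brute-force":   [(12, 1, 2.1, 4), (15, 1, 2.4, 5), (9, 1, 2.0, 3)],
    "port-scan":     [(0, 40, 1.5, 1), (0, 55, 1.4, 1), (0, 35, 1.6, 2)],
    "encoded-exfil": [(0, 1, 7.6, 900), (0, 2, 7.8, 1200), (1, 1, 7.5, 800)],
}

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def build_model(known, growth=1.5):
    """Each class becomes a centroid plus a radius: the farthest known member's distance,
    multiplied by `growth`. growth=1.0 is plain signature matching (only the training
    signatures fall inside); larger values admit unseen variants near the class."""
    every = [v for vectors in known.values() for v in vectors]
    scale = [max(v[i] for v in every) or 1.0 for i in range(len(FEATURES))]  # per-feature max scaling
    norm = lambda v: tuple(x / s for x, s in zip(v, scale))
    classes = {}
    for name, vectors in known.items():
        pts = [norm(v) for v in vectors]
        centroid = tuple(sum(p[i] for p in pts) / len(pts) for i in range(len(FEATURES)))
        classes[name] = (centroid, growth * max(_dist(p, centroid) for p in pts))
    return {"scale": scale, "classes": classes}

def classify(observation, model):
    """Name of the exploit class whose grown boundary contains the observation, else None
    (an observation that is odd but far from every class raises no alert)."""
    obs = tuple(x / s for x, s in zip(observation, model["scale"]))
    name, (centroid, radius) = min(model["classes"].items(),
                                   key=lambda item: _dist(obs, item[1][0]))
    return name if _dist(obs, centroid) <= radius else None

if __name__ == "__main__":
    strict, grown = build_model(KNOWN_SIGNATURES, 1.0), build_model(KNOWN_SIGNATURES, 1.5)
    variant = (16, 2, 2.5, 6)            # constructed: a brute-force variant not in the training set
    print("narrow signatures:", classify(variant, strict), "| grown class:", classify(variant, grown))
```

The growth factor is the knob between the two failure modes on the slide: too small and near-variants are missed, too large and the classes swallow benign traffic. On real data the radius would be learned from labelled variants rather than set by hand.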
Critical Infrastructure Simulation

> Agent-based Micro Simulation (ASPEN Modeling Tool)
> NISAC
> SCADA Test bed

The Nation's Infrastructure Faces a Broad Spectrum of Threats

Physical Threats

- Terrorists
- Aging and degradation
- Natural disasters

Cyber Threats

- Malicious intrusion
- Inadvertent error
- Insider Threat

System Complexity

- Increasing number of interconnections and automation
- Cascading effects
- Increasing interdependencies
- Electric industry restructuring

Photograph by Jim Argo; ©1995, The Oklahoma Publishing Company
How can complex infrastructure systems be analyzed?

Microanalytic Modeling

• A conceptual shift from a mathematical description of an entire system to specification of the behavior of individual agents.

• Agents make real life decisions. Non-linear effects are explicitly treated.

• Agents employ evolutionary learning models which are focused on optimizing utility.

Contact: Dianne Barton, dcmaroz@sandia.gov
[Figure: ASPEN agent library, with agent types including Construction, Bank, Federal Reserve, Power Generation, Financial Intermediary, Trains, Train Dispatcher, Transmission, ISO, Oil Producer, Real Estate, "Disaster" Agent, Weather, Fuel Supplier, Comm Company and Refinery]

We have the ability to quickly develop new agents or draw upon our current library of agent types and modeling expertise to build exactly the simulation that a customer requests.

CommASPEN

An agent based model that simulates the role of telecommunication on critical infrastructure interdependencies.

Communication agents (CommCo Agent) are generalized suppliers of communication service in the model.

The model simulates how telecommunication infrastructure affects the exchange of information and services between agents and the dependence of telecommunication on sectors like power.

[Figure: a Using Agent and a Providing Agent exchange messages through CommCo Agent 1, which receives/sends messages and tests the on/off status of its media ("Comm status is okay")]
NISAC Program

A partnership between LANL and SNL that will leverage existing research and development activities to support industry and government agencies in protecting the critical infrastructure to enhance national security.

MISSION: to improve the nation's security and the robustness of the nation's infrastructure by establishing a state-of-the-art modeling and simulation environment that will:

• Provide the most advanced analysis expertise for understanding infrastructure interdependencies, vulnerabilities, and system complexities;

• Determine the consequences of infrastructure outages; and

• Optimize protection and mitigation strategies.

Contact: Jennifer Nelson, jenelso@sandia.gov
Potential Users & Applications of NISAC

[Figure: NISAC at the center, with user communities and their applications arranged around it. Pairings as read from the figure layout:]

- Private Industry: Infrastructure Vulnerability Analysis & Mitigation Trade-offs
- Federal, State & Local Government Agencies (FEMA, National Guard, DoJ, DOE): Emergency Response, Contingency Planning
- National Security (DTRA, CINCS, JPO, Intel Community): Planning, Protection & Training
- Universities: Education
- Government Policy: Consequence Analysis, Risk Analysis and Management
PROBLEM:

• Supervisory control and data acquisition (SCADA) systems are used to control many critical infrastructures.

• Historically, security has not been included in SCADA components or architectures.

• A facility is needed to analyze SCADA security and to test and validate new SCADA security concepts.

OBJECTIVE/APPROACH:

- Develop a testbed with representative elements of a SCADA system.
- Perform vulnerability assessments and security exercises on SCADA systems and hardware/software components.
- Develop new security concepts and methodologies.
- Model and simulate operational SCADA systems.
- Educate stakeholders about SCADA security issues.

[Figure: testbed layout including sub-master stations]

Contact: Juan Torres, jjtorre@sandia.gov
Modeling Tools

> Modeling Behavior of the Cyber-terrorist
> Graph-based Network Vulnerability

How do we model adversaries to an information system?

Variables in our models include:

• Sophistication - Hacker, terrorist, nation state, foreign intelligence... ?
  A terrorist organization or small nation state

• Resources - Money & "magical powers"
  Well funded; can afford skills and assistance to learn all design information

• Mission - What is the adversary's overall goal?
  Has specific goals & objectives, generally to limit the effectiveness of a critical info system.

• Risk Tolerance - How hard does the adversary avoid detection?
  Risk averse, but very creative & very clever...

Most common adversary model: Cyber-terrorist
Adversary Types

[Figure: adversary types arranged along a sophistication axis: Foreign Intelligence; Organized Crime/Cyber Terrorist; Professional Hacker; Advanced Novice; Naive Novice]

Cyber-terrorist Model

[Figure: attack phases from Start through Intelligence Gathering, Preparation & Development, Live Network Discovery, and Test, Practice & Replan]

Notes:

[1] Success includes stealth, objective, and other parameters.

Adversary Time Expenditure (%)

[Chart: share of adversary time spent on Intelligence/Logistics, Live/System Discovery, Detailed Preparations, Testing & Practice, and Attack Execution]

Adversary Attack Timeline

- Intelligence/Logistics
- Detailed Preparations
- Live/System Discovery
- Testing & Practice
- Attack Execution
Graph Based Network Vulnerability

• G
OAL: To provide a state-of-the-art tool which will perform a quantitative analysis of computer networks

  - Identify sets of exploitable vulnerabilities
  - Means to compare deployed and proposed architectures
    • Examine configuration options and new equipment integration
    • Policy issues for a given mission/network system
  - Suggest optimal defense placement and response options
    • Determine attack path defeat (blocking)
  - Use formal methods to enumerate network threats and attack paths

Contact: Dave Ellis, dellis@sandia.gov
Why This Research Is Important

• Identify a likely list of paths to attack a goal, or a list of paths from an entry point

• Identify the most critical nodes and edges for a given set of metrics and attacks

• Evaluate the cost/benefit in network design

• Suggest the most cost-effective defense placement

• Evaluate security metrics (e.g., time to attack, probability of detection)

Customers

• DARPA Information Assurance Science and Engineering Tools Program (IASET)

• Other government agency
[Figure: tool overview]

Network Topology/Configuration Graph Generator

Sources of Exploits
- experts
- commercial tools
- non commercial tools

Risk Metrics
- Cost/Effort
- Prob. of Success
- Prob. of Detection
- Time
- etc.

List of Exploits
- Innd mailbug
- rlogin subvert
- suid_eject
- trojan A
- anon_ftp C
- install sniffer
- NTGetAdmin
- etc.

Attack Graph (exploits as edges, annotated with probabilities such as p=.9 and p=.6; ordered attacks)

• Identify set of most likely attack paths
• Identify most critical nodes and edges
• Suggest cost-effective defense placement
• Use as a testbed for evaluating metrics
• Suggest red-team attack sequences
• Potentially link to intrusion detection systems (hardware and software)

New Capabilities

• Identify most significant attack paths based on user-defined criteria (e.g., attacker's cost, probability of success, latency)

• Identify critical combinations of known attacks which highlight possible exploitable vulnerabilities

• Model attacks with more granularity and realism:

  - Account for learning behavior and different types of attackers
  - Model dynamic aspects of the network (reconfiguration on the fly)

• Defense placement algorithms:

  - Develop methods to determine optimal ways to increase shortest paths where multiple edge weights can be increased by a single action. This will allow one to determine the defense placement actions with the highest benefit.

• Complex display/visualization tools
Comparison to Existing Tools

• Analysis and Configuration tools

  - Check list of services or conditions on each machine on a network (e.g. Internet Security Systems' Scanners, Microsoft's SMS)
  - Don't consider the network as a whole, i.e. how vulnerabilities on individual machines can be leveraged in a full attack
  - Our tool uses information from configuration management tools and scanning tools as input

• Intrusion Detection Systems

  - Look for specific "signatures" or patterns indicating a likely attack
  - Our system would be complementary, generating an attack graph forward from a suspected security violation and suggesting detector placement.
Why this research is hard

• Potential set of attack methods is very large

• Need to identify what requirements (e.g., OS type, processes running, privilege level, etc.) are necessary for various attacks, and whether those requirements are present on the network and where

• Huge number of "matching" operations to match attack templates against network configuration -> combinatorial explosion of the attack graph

• Need to find algorithms and heuristics to correctly and efficiently prune the graph

BASIS FOR CONFIDENCE

• We have demonstrated graph generation on a small scale, have developed pruning algorithms, and have pulled real network information from databases to populate the graph
• The next set of slides will walk you through screen shots of our tool, including the following steps:

  - Entering attack template information
  - Generating machine configuration data
  - Specifying parameters for the graph generation and running it
  - Viewing the attack graph
Insider Testbed Simulator

[Figure: testbed network. Domain A (Low Assurance): Subnet A with Machine 1 (Windows NT 4.0, User Workstation) and Machine 2 (Windows 2000 File Server, Telnet Service Loaded); Subnet C with Machine 3 (Windows 2000, Active Directory, Admin Terminal Services)]

Insider Testbed Simulator

• Modeling an insider attack from a low assurance domain to a high assurance domain

  - Eight machines, 5 subnets, 3 domains
  - Twenty attack templates

• Basic attack sequence involves:

  - Capturing domain accounts on local machine
  - Using domain accounts to activate remote services
  - Using services to obtain remote access and/or command execution (e.g. NFS, Windows file sharing, telnet, terminal services)
  - Escalating privileges
  - Repeating above steps
  - And finally read/write data on a target machine
Attack Template

• Contains information about state transitions in known or hypothesized attack steps

• Template contains:

  - representation of the subject application and object action process
  - list of requirements or conditions that must be satisfied for the state transition to occur (note: we are adding the capability for arbitrary logic: requirement 1 AND (requirement 2 OR requirement 3))
  - list of vulnerabilities or capabilities created or exposed as a result of the state transition (e.g. reading files without proper authorization, planting a trojan horse, etc.)
  - communications path
  - edge weight (consequence metric of interest)

[Figure: FTP Template]
Attack Template Creation

[Screenshot: the Attack Template form. Template Number: 10; Template Name: telnet server on; Description: (blank); Edge Weight: Probability of Success = 90. Subject Access Process Requirements (Location / Required / Type / Value): Source / Yes / CPU Type / Intel Pentium II processor; Source / Yes / OS Type / Microsoft Windows 2000 Professional; Source / Yes / Services Process / TlntSvr. Object Action Process Requirements: Destination / Yes / CPU Type / Intel Pentium II processor; Destination / Yes / OS Type / Microsoft Windows 2000 Professional; Destination / Yes / Services Process / TlntSvr. New State Requirements: OAP / Yes / Services Process / TlntSvr-Running. Additional Requirements: none entered. Buttons: New, Edit, Delete, Open, Update, Write, Cancel, Quit.]

This is the main form for creating attack templates. The user specifies items such as the template name, description, edge weight type and value, then goes to other forms to enter specific requirements for the subject and object processes.
Attack Template Creation

This form allows the user to specify various requirements on how the attacker starts a process, including the CPU type and OS type of the source machine, the process name, the privilege level the attacker is using (denoted by access token), and the execution environment in which the service or process is running.
Attack Template Creation

This form allows the user to specify the "new state", that is the state on the attack destination machine that occurs after the attack has occurred. In this example, the attacker turns on a telnet server on the destination machine.
Example Attack Template File

Template ftp logon
Requirements:
(cpu = "Intel Pentium II processor",SRC)
(ostype = "Microsoft Windows 2000 Professional",SRC)
("Service-FTPServer",SRC)
(SAP-PAT="AnyAccount-Users",SRC)
("ObjectEnvironment-Win32 Client",SRC)
(cpu = "Intel Pentium II processor",DEST)
(ostype = "Microsoft Windows 2000 Professional",DEST)
("Service-FTPServer",DEST)
(OAP-PAT="AnyAccount-BackupOperators",DEST)
("ObjectEnvironment-Win32 Client",DEST)
Added Vulnerabilities:
("Write-FileName",DEST)
Label: ftp logon
EdgeWt: .3
Example Machine File

OS {type "Microsoft Windows NT Workstation"}
OS {rel "Service Pack 6, 4.0.1381"}
CPU {"Intel Pentium II Processor"}
VULN {"Domain = CSU821"}
VULN {"Primary-User = SYSTEM"}
VULN {"Service-Alerter-Stopped"}
VULN {"Service-Alerter-LocalSystem"}
VULN {"Service-Browser-Running"}
VULN {"Service-Browser-LocalSystem"}
VULN {"Application-OUTLOOK.EXE"}
VULN {"Application-OUTLOOK.TXT"}
VULN {"Application-OUTLSPEC.INI"}
VULN {"Application-OUTSIDER.EXE"}
VULN {"Application-packager.exe"}
VULN {"Application-PageKeep.exe"}
VULN {"Application-pax.exe"}
VULN {"Application-pbrush.exe"}
VULN {"Application-pc.ini"}
VULN {"Application-PERFMON.EXE"}

The machine files include information gathered by Microsoft's SMS system, including OS type and release, CPU type, domain names, and service and application files.
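The template file and machine file formats of the last three slides, read and turned into an attack graph, as an added example written for this page (it is not the Sandia graphIt code). The three machines ws1, fs1 and dc1, the three templates and their edge weights are constructed; the parser accepts the slides' syntax (including Label: lines, which it ignores), every template step is assumed to cross from one machine to another, and EdgeWt is summed as an additive cost. Attacker states are keyed on the whole set of capabilities gained, so two routes that acquire the same independent capabilities in a different order land on one node, which is the effect the later redundancy-elimination slides describe.

```python
"""Attack-graph generation from attack templates and machine files (added example, not the
Sandia tool's code). Formats follow the "Example Attack Template File" and "Example Machine
File" slides; every machine, template, attribute and edge weight here is constructed."""
import heapq
import itertools
import re

# Requirements are (attribute, SRC|DEST): the attribute must be in that machine's config or be
# a capability the attacker already gained there. Added Vulnerabilities are gained on the named
# side. EdgeWt is treated as an additive cost (the slides allow cost or detection probability).
TEMPLATE_TEXT = """
Template ftp logon
Requirements:
("LocalLogon",SRC)
(ostype = "Microsoft Windows 2000 Professional",DEST)
("Service-FTPServer",DEST)
Added Vulnerabilities:
("Write-FileName",DEST)
Label: ftp logon
EdgeWt: .3
Template telnet server on
Requirements:
("Write-FileName",SRC)
("Service-TlntSvr-Stopped",DEST)
Added Vulnerabilities:
("Service-TlntSvr-Running",DEST)
EdgeWt: .9
Template telnet logon
Requirements:
("LocalLogon",SRC)
("Service-TlntSvr-Running",DEST)
Added Vulnerabilities:
("Command-Shell",DEST)
EdgeWt: .2
"""
MACHINE_TEXT = {  # constructed machine files in the SMS-derived format of the slide
    "ws1": 'OS {type "Microsoft Windows 2000 Professional"}\nCPU {"Intel Pentium II Processor"}',
    "fs1": 'OS {type "Microsoft Windows 2000 Professional"}\nVULN {"Service-FTPServer"}',
    "dc1": 'OS {type "Microsoft Windows 2000 Professional"}\nVULN {"Service-FTPServer"}\nVULN {"Service-TlntSvr-Stopped"}',
}

def _norm(term):  # 'cpu = "x"' -> 'cpu=x'; '"Service-FTPServer"' -> 'Service-FTPServer'
    key, _, val = term.partition("=")
    key, val = key.strip().strip('"'), val.strip().strip('"')
    return f"{key}={val}" if val else key

def parse_templates(text):
    templates, cur, section = [], None, "req"
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Template "):
            cur = {"name": line[9:], "req": [], "added": [], "wt": 0.0}
            templates.append(cur)
        elif line.endswith(":"):                         # "Requirements:" / "Added Vulnerabilities:"
            section = "added" if line.startswith("Added") else "req"
        elif line.startswith("EdgeWt:"):
            cur["wt"] = float(line[7:])
        elif (m := re.fullmatch(r"\((.+),\s*(SRC|DEST)\)", line)):   # Label: lines are ignored
            cur[section].append((_norm(m.group(1)), m.group(2)))
    return templates

def parse_machine(text):
    """OS {type "x"} -> ostype=x, OS {rel "y"} -> osrel=y, CPU {"z"} -> cpu=z, VULN {"v"} -> v."""
    pairs = re.findall(r'(\w+)\s*\{\s*(\w*)\s*"([^"]*)"\s*\}', text)
    return {_norm(v) if k == "VULN" else f"{k.lower()}{f}={v}" for k, f, v in pairs}

def generate_graph(templates, configs, start):
    """Forward expansion over attacker states (frozensets of (machine, capability)); keying
    nodes on the whole set merges paths that gain independent capabilities in another order."""
    holds = lambda a, m, st: a in configs[m] or (m, a) in st
    edges, queue = {}, [start]
    while queue:
        state = queue.pop(0)
        if state in edges:
            continue
        edges[state] = []
        for t, (src, dest) in itertools.product(templates, itertools.permutations(configs, 2)):
            side = {"SRC": src, "DEST": dest}            # assumption: every step crosses machines
            if all(holds(a, side[s], state) for a, s in t["req"]):
                gained = frozenset((side[s], a) for a, s in t["added"]) - state
                if gained:                               # a step that gains nothing new makes no edge
                    edges[state].append((state | gained, t["wt"], f'{t["name"]} {src}->{dest}'))
                    queue.append(state | gained)
    return edges

def shortest_attack_path(edges, start, goal):
    """Dijkstra from the start state to the cheapest state holding goal = (machine, capability)."""
    heap, done, tie = [(0.0, 0, start, [])], set(), itertools.count(1)
    while heap:
        cost, _, state, path = heapq.heappop(heap)
        if goal in state:
            return cost, path
        if state in done:
            continue
        done.add(state)
        for nxt, wt, label in edges[state]:
            heapq.heappush(heap, (cost + wt, next(tie), nxt, path + [label]))
    return None

def run_example():
    templates = parse_templates(TEMPLATE_TEXT)
    configs = {name: parse_machine(text) for name, text in MACHINE_TEXT.items()}
    start = frozenset({("ws1", "LocalLogon")})      # the "+start" node: attacker logged on to ws1
    edges = generate_graph(templates, configs, start)
    return edges, shortest_attack_path(edges, start, ("dc1", "Command-Shell"))
```

With the constructed inputs the expansion yields eight attacker states and ten edges, and the cheapest route to a command shell on dc1 is the three-step chain ftp logon ws1->fs1, telnet server on fs1->dc1, telnet logon ws1->dc1. Machine files with the full SMS attribute list would be preprocessed down to the attributes some template mentions, as the Data Architecture slide says, before feeding this matcher.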
• A single shortest path is not a good security measure since edge weights are approximations

• The set of all near-optimal paths is a better reflection of total system security

  - more robust
  - the set of edges on many near-optimal paths together represents the most vulnerable points
  - still efficiently computable (Naor, Brutlag '93 for directed graphs)

• The shortest path may not be the one with the fewest steps. As shown below, the highlighted path is shorter, though it involves three steps compared to two steps on the lower path. The edge weights may represent probability of detection or attacker cost.
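The near-optimal path set from this slide and the defense-placement idea from the New Capabilities slide (raising several edge weights with one action to lengthen the attacker's shortest path), worked together as an added example written for this page; it is not the Sandia tool's analysis code. The attack graph, its weights and the three defensive actions are constructed: start->a->b->goal costs 3.0 in three steps while start->c->goal costs 3.5 in two, mirroring the slide's point that the cheapest path need not be the one with the fewest steps.

```python
"""Near-optimal attack paths and greedy defense placement on an attack graph. Added example
(not the Sandia tool's code); the graph, weights and defensive actions are constructed."""
import heapq
from collections import Counter

# Constructed attack graph: (from, to) -> edge weight (attacker cost, so lower is worse for the
# defender). start->a->b->goal costs 3.0 in three steps; start->c->goal costs 3.5 in two.
EDGES = {
    ("start", "a"): 1.0, ("a", "b"): 1.0, ("b", "goal"): 1.0,
    ("start", "c"): 2.0, ("c", "goal"): 1.5, ("a", "c"): 0.6, ("start", "goal"): 5.0,
}
# Constructed defensive actions: each raises every edge in its set by one amount, so a single
# action can lengthen several attack steps at once.
ACTIONS = {
    "firewall start": ({("start", "a"), ("start", "c"), ("start", "goal")}, 1.0),
    "patch b": ({("a", "b")}, 2.0),
    "monitor c": ({("start", "c"), ("a", "c")}, 2.0),
}

def distances(edges, source, reverse=False):
    """Dijkstra distances from source, or to source over reversed edges when reverse=True."""
    adj = {}
    for (u, v), w in edges.items():
        if reverse:
            u, v = v, u
        adj.setdefault(u, []).append((v, w))
    dist, heap = {}, [(0.0, source)]
    while heap:
        d, n = heapq.heappop(heap)
        if n in dist:
            continue
        dist[n] = d
        for m, w in adj.get(n, []):
            heapq.heappush(heap, (d + w, m))
    return dist

def near_optimal_paths(edges, start, goal, eps):
    """All simple start->goal paths with cost <= (1 + eps) * optimum. A reverse Dijkstra gives
    a lower bound on the cost still to come, so branches that cannot stay within the bound are
    pruned (the near-optimal enumeration the slide credits to Naor and Brutlag '93)."""
    to_goal = distances(edges, goal, reverse=True)
    bound = (1 + eps) * to_goal[start] + 1e-9
    found = {}

    def walk(node, path, cost):
        if node == goal:
            found[tuple(path)] = cost
            return
        for (u, v), w in edges.items():
            if u == node and v not in path and cost + w + to_goal.get(v, float("inf")) <= bound:
                walk(v, path + [v], cost + w)

    walk(start, [start], 0.0)
    return found

def critical_edges(paths):
    """Edges ranked by how many near-optimal paths use them: the most vulnerable points."""
    return Counter(e for p in paths for e in zip(p, p[1:]))

def place_defenses(edges, actions, start, goal, budget):
    """Greedy placement: repeatedly apply the action that most lengthens the attacker's
    shortest path. Returns the chosen actions and the resulting shortest-path cost."""
    edges, chosen = dict(edges), []
    for _ in range(budget):
        best = None
        for name, (edge_set, delta) in actions.items():
            if name in chosen:
                continue
            trial = {e: w + (delta if e in edge_set else 0.0) for e, w in edges.items()}
            score = distances(trial, start)[goal]
            if best is None or score > best[0]:
                best = (score, name, trial)
        edges, chosen = best[2], chosen + [best[1]]
    return chosen, distances(edges, start)[goal]

if __name__ == "__main__":
    paths = near_optimal_paths(EDGES, "start", "goal", eps=0.2)
    print("near-optimal paths:", paths)
    print("most used edges:", critical_edges(paths).most_common(2))
    print("defenses:", place_defenses(EDGES, ACTIONS, "start", "goal", budget=2))
```

With eps=0.2 three paths fall within 20% of the optimum and the edges start->a and c->goal each lie on two of them, which is the "set of edges on many near-optimal paths" the slide calls the most vulnerable points. The greedy placement picks the firewall action first because it touches every edge leaving start, then the patch; a shortest-path cost of 4.1 after two actions is the number a defender would compare across candidate budgets.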
Graph Generator

This is the main form for running the graph generator code. It includes menus for specifying the directories where the templates and configuration files are located, specifying run options, specifying a start node, and running the program.
Graph Generator

[Screenshot: the config form. Configure input source: Template Directory /home/dellis/netv/templ; Machine Config Directory /home/dellis/netv/confl; Ranked-Vars Config File template1.cfg (each with a Browse button); DB host champ.mp.sandia.gov; DB name netv; DB password; DB port 5432; Close button]

This form allows one to specify the location of the templates and configuration files.
[Screenshot: the run window]

Graph generator output:

Beginning Run
Command: graphIt -T "template1.cfg" -t "/home/dellis/netv/templ" -c "/home/dellis/netv/confl" -v 1 -R "1" -s "+start" -o "out.dot"

vul RANKED, num vals = 0
Dependence on OSTYPE, values breakdown (first # is size): 9
defaults (first # is size): 9 : -1 -1 -1 -1 -1 -1 -1 -1 -1
-label (osrel) alloc size G
0 0 0 0 0 0 0 0 0
warning: rewriting osrel
vul RANKED, num vals = 0
Dependence on OSTYPE, values breakdown (first # is size): 9: 0 0 0 0 0 0 0 0 0
defaults (first # is size): 9 : -1 -1 -1 -1 -1 -1 -1 -1 -1
-label (osrel) alloc size G
warning: rewriting osrel
vul RANKED, num vals = 0
Dependence on OSTYPE, values breakdown (first # is size): 9: 0 0 0 0 0 0 0 0 0
defaults (first # is size): 9 : -1 -1 -1 -1 -1 -1 -1 -1 -1

Example text output during an actual run
Ancestor Graph Example

[Figure: ancestor graph rooted at DomainBBackupAccountCredentials, with nodes such as Local Service Account Snatcher t21, Local Service Account Snatcher t2s, Create Local Domain Backup Account T3 and Get Remote Services Accounts T4, and edge labels giving weights and counts (25 \ 50, #1; 100 \ 25, #1; 75, #1)]

Legend:
A = Win32 Client
B = Command Shell
C = GetServiceUserTool
D = Application-MSTSC.exe
E = Local-Groups = Administrator
F = LocalLogon
G = CSU880-Backup-Account
H = CSU880-Administrator-Account
I = Local-CSU880-Backup-Accnt
J = Local-CSU880-Administrator-Accnt

Sandia National Laboratories
Functional Architecture

[Figure: data flow between the tool's components]

- Configuration Management Tools and Vulnerability Scanning Tools produce the Configuration Files (configuration info: vulnerabilities on machines, OS type, HW type, etc.)
- The Templates (requirements for attacks to occur) and the list of tools and capabilities the attacker holds feed the Graph Generator
- The Graph Generator produces the Attack Graph (list of nodes, edges, and edge weights)
- The Near-optimal Shortest Path Analysis Code produces the list of nodes, edges, and shortest path information
- Display Graph: highlight shortest paths; allow zooming, "click for detail" capability
Data Architecture

- We have designed an "intermediate" database that holds the necessary fields from commercial databases (e.g. ISS, Microsoft)
- We have written queries to pull the data from the intermediate database into the C++ data structures for graph generation
- Use of standardized terms in the templates and configuration data to ensure consistency for matching by the graph generator
- Preprocess configuration data to include only attributes that are required by one of the templates

Scaling Issues

- Path redundancy elimination
- Node redundancy elimination
Data Flow

Redundant path elimination

• 2 vulnerabilities (A, B) are independent if A cannot be used directly or indirectly to acquire B and vice versa

• 2 paths are redundant if they use the same set of templates and differ only in the order of acquisition of independent vulnerabilities

• We force an ordering or ranking amongst all independent vulnerabilities to eliminate redundant paths

Redundant node elimination

• In the forward (exploratory) phase, we generate sets of independent attribute changes only if they lead in combination to new vulnerabilities

• Currently exploring algorithms for elimination of redundant nodes
Redundancy Elimination

[Figure: three graphs side by side: with no redundancy elimination; with path redundancy elimination; with path and node redundancy elimination]
• Existing funding lasts through Dec. 01

• Looking for partners and funding sources to continue development of the tool

• Potential uses:

  - Adversary modeling (e.g., red teams)
  - Network Design (security evaluation of design alternatives)
  - In conjunction with intrusion detection and sniffing devices
  - As a correlation tool to examine existing beliefs about network insecurity and correlate these with attack graph results